A secure communication system

This invention relates to a secure communication system.

More particularly, the invention relates to a secure communication system which
enables a user of the system to send securely a message (the same message) to each of a
plurality of other users of the system.

One known secure communication scheme is public key cryptography. Public
key cryptography has traditionally been concerned with two parties communicating.
Party A wishes to send data securely to party B. Party A encrypts the data with party
B's public key. Party B decrypts the data using its private key (corresponding to its
public key as used by party A).

Public key algorithms are very slow. Accordingly, if party A wishes to send a
large amount of data to party B, party A first encrypts a symmetric session key with
party B's public key, and transmits this to party B. Party A then encrypts the large
amount of data using the fast symmetric cipher keyed by the session key. Such a
combination of public key and symmetric techniques is termed a hybrid encryption
algorithm.

In recent years, the hybrid approach has been developed by use of the so called
KEM-DEM philosophy. A key encapsulation mechanism (KEM) utilises party B's
public key pkB to provide both a symmetric session key K, and an encryption of K
under pkB. This encryption will be denoted EB(K). A symmetric data encapsulation
mechanism (DEM) then uses K to symmetrically encrypt the data (message) to be
transmitted. This encryption will be denoted SEK(M). Party A transmits to party B both
EB(K) and SEK(M). Party B recovers K from EB(K) using party B's private key skB,
and then uses K to recover M from SEK(M).

The use of the KEM-DEM philosophy allows the different components of a
hybrid encryption scheme to be designed in isolation, leading to simpler analysis and
potentially more efficient schemes. However, problems occur when one departs from
the traditional two-party setting. Party A may wish to send a large amount of data to
two parties B and C. For example, party A may wish to encrypt an email to parties B
and C, or encrypt a file on party A's computer to parties B and C. In this case, the KEM
would: (i) utilise party B's public key pkB to provide both a symmetric session key KB,
and an encryption of KB under pkB; and (ii) utilise party C's public key pkC to provide
both a further symmetric session key KC, and an encryption of KC under pkC. The
DEM would then: (i) use KB to symmetrically encrypt the large amount of data for
party B; and (ii) use KC to symmetrically encrypt the large amount of data for party C.
It will be seen that the data has been encrypted twice. This is clearly inefficient,
particularly when the amount of data is large.

According to a first aspect of the present invention there is provided a secure
communication system comprising: a communications network; at a sending location on
said network: (i) an encapsulator for providing (a) a session key, and (b) a plurality of
asymmetric encryptions of the session key, each said encryption corresponding to a
respective receiving location on said network; and (ii) a symmetric encryptor for
utilising said session key to encrypt a message; and, at each said receiving location on
said network: (i) a decapsulator for decrypting the encryption of said plurality of
encryptions which corresponds to that receiving location to provide said session key;
and (ii) a symmetric decryptor for utilising the session key to decrypt the message.

Preferably: said encapsulator comprises: a pseudo random number generator;
symmetric key derivation means for deriving said session key from a first random
number generated by said pseudo random number generator; means for utilising said
first random number to generate a second random number; and means for utilising the
first keys of asymmetric encryption key pairs of the intended recipients at the receiving
locations together with said second random number and said first random number to
generate said plurality of asymmetric encryptions of the session key; and said
decapsulator at each receiving location comprises: means for utilising the second key of
the asymmetric encryption key pair of the recipient at the receiving location together
with the asymmetric encryption corresponding to the receiving location to recover said
first random number; and a further symmetric key derivation means for deriving said
session key from said first random number.

According to a second aspect of the present invention there is provided a secure
communication system comprising: a communications network; at a sending location on
said network an encryptor for providing a plurality of asymmetric encryptions of a
message, each said encryption corresponding to a respective receiving location on said
network, said encryptor comprising: means for deriving from said message a first
random number; and means for utilising the first keys of asymmetric encryption key
pairs of the intended recipients at the receiving locations together with said first random
number and said message to generate said plurality of asymmetric encryptions of the
message; and, at each said receiving location on said network a decryptor for decrypting
the encryption of said plurality of encryptions which corresponds to that receiving
location to provide said message, said decryptor comprising means for utilising the
second key of the asymmetric encryption key pair of the recipient at the receiving
location together with the asymmetric encryption corresponding to the receiving
location to recover the message.

According to a third aspect of the present invention there is provided a secure
communication method comprising: at a sending location on a communications
network: (i) providing (a) a session key, and (b) a plurality of asymmetric encryptions
of the session key, each said encryption corresponding to a respective receiving location
on said network; and (ii) utilising said session key to encrypt symmetrically a message;
and, at each said receiving location on said network: (i) decrypting the encryption of
said plurality of encryptions which corresponds to that receiving location to provide
said session key; and (ii) utilising the session key to decrypt the message.

Preferably, said step (i) carried out at the sending location comprises: generating
a first random number; deriving said session key from said first random number;
utilising said first random number to generate a second random number; and utilising
the first keys of asymmetric encryption key pairs of the intended recipients at the
receiving locations together with said second random number and said first random
number to generate said plurality of asymmetric encryptions of the session key; and said
step carried out at each receiving location comprises: utilising the second key of the
asymmetric encryption key pair of the recipient at the receiving location together with
the asymmetric encryption corresponding to the receiving location to recover said first
random number; and deriving said session key from said first random number.

According to a fourth aspect of the present invention there is provided a secure
communication method comprising: at a sending location on a communications network
providing a plurality of asymmetric encryptions of a message, each said encryption
corresponding to a respective receiving location on said network, said step of providing
said plurality of asymmetric encryptions comprising: deriving from said message a first
random number; and utilising the first keys of asymmetric encryption key pairs of the
intended recipients at the receiving locations together with said first random number
and said message to generate said plurality of asymmetric encryptions of the message;
and, at each said receiving location on said network decrypting the encryption of said
plurality of encryptions which corresponds to that receiving location to provide said
message, said step of decrypting comprising utilising the second key of the asymmetric
encryption key pair of the recipient at the receiving location together with the
asymmetric encryption corresponding to the receiving location to recover the message.

The invention will now be described, by way of example, with reference to the
accompanying drawings, in which:

Fig 1 is a block schematic diagram of a secure communication system in
accordance with the present invention;

Fig 2 is a block schematic diagram of an encapsulator of the system of Fig 1;

Fig 3 is a block schematic diagram of a decapsulator of the system of Fig 1;

Figs 4 and 5 illustrate an alternative encapsulator/decapsulator combination to
that of Figs 2 and 3; and

Figs 6, 7 and 8 illustrate a modification to the secure communication systems of
Figs 1 to 3, and 1, 4 and 5.

Referring to Fig 1, the communication system comprises: a communications
network; at a sending location on the network, an encapsulator 1 and a symmetric
encryptor 3; and, at each of a plurality of receiving locations 1, 2, 3 ... i ... n on the
network, a decapsulator 5 and a symmetric decryptor 7.

A user located at the sending location wishes to send a message M (the same
message) to each of the users located at receiving locations 1 to n. Each of the users at
receiving locations 1 to n possesses a personal public/private key pair assigned as part
of a public key cryptography communication scheme. The public/private keys assigned
to the user located at receiving location 1 will be denoted pk1/sk1 respectively, the
public/private keys assigned to the user located at receiving location 2 will be denoted
pk2/sk2 respectively, etc.

At the sending location, public keys pk1, pk2, pk3 ... pki ... pkn are supplied to
encapsulator 1, which utilises the keys to provide respective encryptions of a session
key K, i.e. encapsulator 1 provides an encryption of session key K utilising public key
pk1, an encryption of session key K utilising public key pk2, etc. The encryption of K
utilising pk1 will be denoted E1(K), the encryption of K utilising pk2 will be denoted
E2(K), etc. Thus, encapsulator 1 provides E = E1(K), E2(K), E3(K) ... Ei(K) ... En(K).
Encapsulator 1 also provides session key K in unencrypted form.

The message M to be sent is supplied to symmetric encryptor 3. Symmetric
encryptor 3 utilises the session key K in unencrypted form provided by encapsulator 1
to symmetrically encrypt message M. The symmetric encryption of M utilising K will
be denoted SEK(M).

By means of the communications network, the sending location transmits E =
E1(K), E2(K), E3(K) ... Ei(K) ... En(K), and SEK(M) to each of receiving locations 1
to n.

At receiving location 1, the private key sk1 of the user at that location is
supplied to decapsulator 5. Decapsulator 5 is also in receipt of transmitted E, and uses
sk1 to decrypt that part of E encrypted using the public key pk1 corresponding to sk1,
i.e. decapsulator 5 uses sk1 to decrypt E1(K) to provide session key K. Decapsulator 5
also provides a Flag to specify whether the decryption was successful. Session key K is
supplied to symmetric decryptor 7. Symmetric decryptor 7 is also in receipt of
transmitted SEK(M), and uses K to decrypt SEK(M) to recover message M.

Each of receiving locations 2 to n operates in the same manner as receiving
location 1 to recover the message M for the user at the location. Thus: the decapsulator
at receiving location 2 uses sk2 to decrypt E2(K) to provide K, which is used by
the symmetric decryptor at location 2 to decrypt SEK(M) to recover M; receiving
location 3 uses sk3 to decrypt E3(K) to provide K, which is used to decrypt SEK(M) to
recover M; etc.

It will be noted that the system of Fig 1 requires only one symmetric encryption
of the message to be sent, i.e. one and the same symmetric encryption of the message is
sent to all receiving locations (SEK(M) is sent to all receiving locations).

Referring to Fig 2, encapsulator 1 of Fig 1 comprises a pseudo random number
generator (PRNG) 11, a hash circuit 13, a symmetric key derivation circuit 15, a first
series of exponentiation circuits 17-1 to 17-n, a second series of exponentiation circuits
19-1 to 19-n, and a series of multiplication circuits 21-1 to 21-n.

PRNG 11 generates a pseudo random number N which is used: (i) by hash
circuit 13 to generate a series of random numbers r1, r2, r3 ... ri ... rn; and (ii) by
symmetric key derivation circuit 15 to derive symmetric key K. As shown in Fig 1,
symmetric key K is supplied to symmetric encryptor 3. Random number r1 is supplied
to exponentiation circuits 17-1 and 19-1, random number r2 is supplied to
exponentiation circuits 17-2 and 19-2, etc. Random number N is supplied to each of
multiplication circuits 21-1 to 21-n.

In addition to being supplied with a random number ri: (i) each of the first series
of exponentiation circuits 17-1 to 17-n is supplied with a fixed system parameter g (g
generates the required group, which could, for example, be a multiplicative group of a
finite field or an elliptic curve); and (ii) each of the second series of exponentiation
circuits 19-1 to 19-n is supplied with a respective public key pk1 to pkn, i.e. pk1 is
supplied to circuit 19-1, pk2 is supplied to circuit 19-2, etc. Each of the first series of
exponentiation circuits 17-1 to 17-n raises g to the power of the ri supplied to the circuit
to provide di, i.e. circuit 17-1 raises g to the power of r1 to provide d1 = g^r1, circuit
17-2 raises g to the power of r2 to provide d2 = g^r2, etc. Each of the second series of
exponentiation circuits 19-1 to 19-n raises the pki supplied to it by the ri supplied to it,
i.e. circuit 19-1 raises pk1 to the power of r1 to provide pk1^r1, circuit 19-2 raises pk2
to the power of r2 to provide pk2^r2, etc. The output of exponentiation circuit 19-1 is
supplied to multiplication circuit 21-1, the output of exponentiation circuit 19-2 is
supplied to multiplication circuit 21-2, etc.

Multiplication circuit 21-1 multiplies the N supplied to it by the output of
exponentiation circuit 19-1 to provide c1 = N.(pk1^r1), multiplication circuit 21-2
multiplies the N supplied to it by the output of exponentiation circuit 19-2 to provide c2
= N.(pk2^r2), etc.

The outputs c1 and d1 taken together constitute E1(K), the outputs c2 and d2
taken together constitute E2(K), etc.

Referring to Fig 3, decapsulator 5 of Fig 1 comprises an exponentiation circuit
31, an inversion circuit 33, a multiplication circuit 35, a symmetric key derivation
circuit 37, a hash circuit 39, and a check circuit 41.

Decapsulator 5 utilises sk1 to decrypt E1(K) (constituted by c1 and d1) to
provide session key K. Decapsulator 5 also provides a Flag to specify whether the
decryption was successful.

Exponentiation circuit 31 raises d1 to the power of sk1, i.e. circuit 31 provides
d1^sk1. Inversion circuit 33 provides 1/(d1^sk1). Multiplication circuit 35 multiplies
1/(d1^sk1) by c1 to provide c1/(d1^sk1). Now, c1 = N.(pk1^r1), and d1 = g^r1, see
earlier. Substituting gives the output of circuit 35 as N.(pk1^r1)/g^(r1.sk1). Now, from
public key cryptography, pk1 = g^sk1. Substituting gives the output of circuit 35 as
N.(g^(r1.sk1))/g^(r1.sk1) = N. N is supplied to symmetric key derivation circuit 37,
which circuit is the same as circuit 15 in Fig 2. This provides the recovered session key
K. N is also supplied to hash circuit 39, which circuit is the same as circuit 13 of Fig 2.
Check circuit 41 raises g to the power of r1 as provided by circuit 39, i.e. circuit 41
provides g^r1. Now, d1 = g^r1, see earlier. Check circuit 41 compares the calculated
g^r1 with d1 supplied to circuit 41. If they are the same, decryption was successful,
otherwise it was not.

The operation of the decapsulators of receiving locations 2 to n of Fig 1 is
precisely analogous to that of decapsulator 5 of receiving location 1.

The encapsulator/decapsulator combination of Figs 4 and 5 is based on the so
called ElGamal encryption scheme.

The encapsulator of Fig 4 comprises a PRNG 51, a hash circuit 53, a symmetric
key derivation circuit 55, a series of exponentiation circuits 57-0 to 57-n, and a series of
multiplication circuits 59-1 to 59-n.

PRNG 51 generates a pseudo random number N which is used: (i) by hash
circuit 53 to generate a single random number r; and (ii) by symmetric key derivation
circuit 55 to derive symmetric key K. As shown in Fig 1, symmetric key K is supplied
to symmetric encryptor 3. Random number r is supplied to each of exponentiation
circuits 57-0 to 57-n. Random number N is supplied to each of multiplication circuits
59-1 to 59-n.

In addition to being supplied with random number r: (i) exponentiation circuit
57-0 is supplied with a fixed system parameter g; and (ii) each of exponentiation
circuits 57-1 to 57-n is supplied with a respective public key pk1 to pkn, i.e. pk1 is
supplied to circuit 57-1, pk2 is supplied to circuit 57-2, etc. Exponentiation circuit 57-0
raises g to the power of r to provide d = g^r. Each of exponentiation circuits 57-1 to 57-n
raises the pki supplied to it by r, i.e. circuit 57-1 raises pk1 to the power of r to
provide pk1^r, circuit 57-2 raises pk2 to the power of r to provide pk2^r, etc. The output
of exponentiation circuit 57-1 is supplied to multiplication circuit 59-1, the output of
exponentiation circuit 57-2 is supplied to multiplication circuit 59-2, etc.

Multiplication circuit 59-1 multiplies the N supplied to it by the output of
exponentiation circuit 57-1 to provide c1 = N.(pk1^r), multiplication circuit 59-2
multiplies the N supplied to it by the output of exponentiation circuit 57-2 to provide c2
= N.(pk2^r), etc.

The outputs c1 and d taken together constitute E1(K), the outputs c2 and d taken
together constitute E2(K), etc.

The decapsulator of Fig 5 comprises an exponentiation circuit 71, an inversion
circuit 73, a multiplication circuit 75, a symmetric key derivation circuit 77, a hash
circuit 79, and a check circuit 81.

The decapsulator utilises sk1 to decrypt E1(K) (constituted by c1 and d) to
provide session key K. The decapsulator also provides a Flag to specify whether the
decryption was successful.

Exponentiation circuit 71 raises d to the power of sk1, i.e. circuit 71 provides
d^sk1. Inversion circuit 73 provides 1/(d^sk1). Multiplication circuit 75 multiplies
1/(d^sk1) by c1 to provide c1/(d^sk1). Now, c1 = N.(pk1^r), and d = g^r, see earlier.
Substituting gives the output of circuit 75 as N.(pk1^r)/g^(r.sk1). Now, from public key
cryptography, pk1 = g^sk1. Substituting gives the output of circuit 75 as
N.(g^(r.sk1))/g^(r.sk1) = N. N is supplied to symmetric key derivation circuit 77, which
circuit is the same as circuit 55 in Fig 4. This provides the recovered session key K. N is
also supplied to hash circuit 79, which circuit is the same as circuit 53 of Fig 4. Check
circuit 81 raises g to the power of r as provided by circuit 79, i.e. circuit 81 provides
g^r. Now, d = g^r, see earlier. Check circuit 81 compares the calculated g^r with d
supplied to circuit 81. If they are the same, decryption was successful, otherwise it was
not.

The operation of the decapsulators of receiving locations 2 to n of Fig 1 is
precisely analogous to that of the decapsulator of receiving location 1 shown in Fig 5.

It will be seen that the encapsulator/decapsulator combination of Figs 4 and 5 is
far more efficient than the encapsulator/decapsulator combination of Figs 2 and 3. In
particular, the combination of Figs 2 and 3 requires series of random numbers r1 to rn
(one random number in respect of each intended recipient), whereas the combination of
Figs 4 and 5 requires only one random number r (used for all recipients). The
encapsulator of Fig 2 provides the encryptions E1(K) to En(K) utilising public keys pk1
to pkn, random number N, and random numbers r1 to rn (derived from N). The
encapsulator of Fig 4 provides the encryptions E1(K) to En(K) utilising public keys pk1
to pkn, random number N, and single random number r (derived from N).

If the amount of data to be sent is relatively low, the encapsulator/decapsulator
combination of Figs 4 and 5 can be used without the need for symmetric encryption by
a separate symmetric encryptor as symmetric encryptor 3 of Fig 1. In such case,
referring to Fig 4: (i) PRNG 51 and symmetric key derivation circuit 55 would be
dispensed with; and (ii) the message to be sent M would replace N, i.e. M instead of N
would be supplied to hash circuit 53 and each of multiplication circuits 59-1 to 59-n.
Referring to Fig 5: (i) symmetric key derivation circuit 77 would be dispensed with; and
(ii) M instead of N would be recovered by multiplication circuit 75. If this
encryption/decryption scheme is used, then, for security, it should be combined with the
Fujisaki-Okamoto transform, or similar defence against attack. For the Fujisaki-
Okamoto transform, see E. Fujisaki and T. Okamoto, Secure integration of asymmetric
and symmetric encryption schemes, Advances in Cryptology - CRYPTO 1999,
Springer-Verlag LNCS 1666, 537-554, 1999.
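
An added example, not part of the patent text: a Python sketch of the Fig 4 encapsulator and Fig 5 decapsulator described above, including the check that yields the Flag, wrapped around the single symmetric encryption of Fig 1. The group (integers modulo 2^255 - 19 with g = 2), SHA-256 as the hash and key derivation circuits, and the keystream cipher standing in for symmetric encryptor 3 are assumptions chosen so the sketch runs with the standard library; the text specifies none of them.

```python
import hashlib
import secrets

# Assumed toy parameters (not from the patent): the multiplicative group
# modulo the prime 2^255 - 19 with g = 2. Chosen only so the sketch runs.
P = 2**255 - 19
G = 2


def _h(label: bytes, n: int) -> bytes:
    """Domain-separated SHA-256 over the random number N (assumed hash)."""
    return hashlib.sha256(label + n.to_bytes(32, "big")).digest()


def hash_to_r(n: int) -> int:
    """Hash circuit 53 / 79: derive the single exponent r from N."""
    return int.from_bytes(_h(b"r", n), "big") % (P - 1)


def derive_key(n: int) -> bytes:
    """Symmetric key derivation circuit 55 / 77: derive session key K from N."""
    return _h(b"K", n)


def keygen():
    """Return (sk, pk) with pk = g^sk."""
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)


def encapsulate(pubkeys):
    """Fig 4: return (K, d, [c1..cn]); Ei(K) is the pair (ci, d)."""
    n = secrets.randbelow(P - 1) + 1                   # PRNG 51: N in [1, p-1]
    r = hash_to_r(n)
    d = pow(G, r, P)                                   # circuit 57-0: d = g^r
    cs = [(n * pow(pk, r, P)) % P for pk in pubkeys]   # ci = N.(pki^r)
    return derive_key(n), d, cs


def decapsulate(sk, c, d):
    """Fig 5: return (K, flag); K is None when the check g^r == d fails."""
    if not (0 < c < P and 0 < d < P):
        return None, False
    n = (c * pow(pow(d, sk, P), -1, P)) % P            # N = c / d^sk
    flag = pow(G, hash_to_r(n), P) == d                # check circuit 81
    return (derive_key(n) if flag else None), flag


def sym_crypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for symmetric encryptor 3 / decryptor 7 (assumed cipher):
    SHA-256 counter keystream XOR, unauthenticated, for demonstration only."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


def send(pubkeys, message: bytes):
    """Sending location of Fig 1: one SEK(M) plus one ci per recipient."""
    k, d, cs = encapsulate(pubkeys)
    return d, cs, sym_crypt(k, message)


def receive(index, sk, d, cs, body):
    """Receiving location: decapsulate own ci, then decrypt SEK(M)."""
    k, flag = decapsulate(sk, cs[index], d)
    return sym_crypt(k, body) if flag else None


if __name__ == "__main__":
    keys = [keygen() for _ in range(3)]            # constructed recipients
    d, cs, body = send([pk for _, pk in keys], b"the same message")
    for i, (sk, _) in enumerate(keys):
        print(i, receive(i, sk, d, cs, body))
    # Recipient 0's key against recipient 1's component: Flag is False.
    print(decapsulate(keys[0][0], cs[1], d))
```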

In the above secure communication systems of Figs 1 to 3, and Figs 1, 4 and 5,
the encapsulator is supplied with the public keys of the intended recipients (each
intended recipient possesses a personal public/private key pair assigned as part of a
public key cryptography communication scheme). This requires knowledge on the part
of the sending party of the public keys of all the intended recipients. There will now be
described a modification to the above systems, which modification avoids the
requirement to have knowledge of the public keys of the intended recipients. In the
modification, so called identity based keys id1, id2, id3 ... idi ... idn must be supplied
to the encapsulator. An identity based key idi could, for example, be based on an
intended recipient's email address, name or phone number.

Figs 6, 7 and 8 illustrate an encapsulator/decapsulator combination. This
combination is based on the so called Boneh-Franklin encryption scheme, see D. Boneh
and M. Franklin, Identity based encryption from the Weil pairing, Advances in
Cryptology - CRYPTO 2001, Springer-Verlag LNCS 2139, 213-229, 2001. Fig 6
illustrates the encapsulator located at the sending location. Fig 7 illustrates the
decapsulator located at receiving location 1 only. Fig 8 illustrates the decapsulator
located at each of receiving locations 2 to n.

The encapsulator of Fig 6 comprises a PRNG 91, a hash circuit 93, a symmetric
key derivation circuit 95, a series of first hash-to-point circuits 97-1 to 97-n, a series of
subtraction circuits 99-1 to 99-(n-1), a series of multiplication circuits 101-(-1) to 101-
(n-1), a pairing circuit 103, a second hash-to-point circuit 105, and an exclusive-OR
(XOR) circuit 107.

PRNG 91 generates a pseudo random number N which is used: (i) by hash
circuit 93 to generate a single random number r; and (ii) by symmetric key derivation
circuit 95 to derive symmetric key K. As shown in Fig 1, symmetric key K is supplied
to symmetric encryptor 3. Random number r is supplied to each of multiplication
circuits 101-(-1) to 101-(n-1). Random number N is supplied to XOR circuit 107.

Each of first hash-to-point circuits 97-1 to 97-n is supplied with a respective
identity key id1 to idn, i.e. id1 is supplied to circuit 97-1, id2 is supplied to circuit 97-2,
etc. Hash-to-point circuit 97-1 implements a first hash-to-point algorithm H1 to provide
Qid1, hash-to-point circuit 97-2 implements the same first hash-to-point algorithm H1
to provide Qid2, etc. Qid1 is supplied to multiplication circuit 101-0, and each of
subtraction circuits 99-1 to 99-(n-1). Qid2 is supplied to subtraction circuit 99-1, Qid3
is supplied to subtraction circuit 99-2, etc.

Utilising Qid1 and Qid2, subtraction circuit 99-1 implements a subtraction
algorithm SUB to provide T1, utilising Qid1 and Qid3, subtraction circuit 99-2
implements the same subtraction algorithm SUB to provide T2, etc. T1 is supplied to
multiplication circuit 101-1, T2 is supplied to multiplication circuit 101-2, etc.
Utilising r and P (a fixed system parameter which generates the required group),
multiplication circuit 101-(-1) implements a multiplication algorithm MULT to provide
U. Utilising r and Qid1, multiplication circuit 101-0 implements the same multiplication
algorithm MULT to provide U0. Utilising r and T1, multiplication circuit 101-1
implements MULT to provide U1, utilising r and T2, multiplication circuit 101-2
implements MULT to provide U2, etc.

Utilising R (the public key of the trust authority providing the secure
communication scheme) and U0, pairing circuit 103 implements a pairing algorithm
PAIR to provide t to second hash-to-point circuit 105. Second hash-to-point circuit 105
implements a second hash-to-point algorithm H2 to provide W to XOR circuit 107.
XOR circuit 107 XORs N and W to provide V (the XOR of circuit 107 could be
replaced by any arbitrary symmetric encryption function).

The outputs U and V taken together constitute E1(K) as transmitted by the
sending location in Fig 1. The outputs U1, U and V taken together constitute E2(K) as
transmitted by the sending location in Fig 1, the outputs U2, U and V taken together
constitute E3(K) as transmitted by the sending location in Fig 1, the outputs U3, U and
V taken together constitute E4(K) as transmitted by the sending location in Fig 1, etc.

The decapsulator of Fig 7 comprises a pairing circuit 111, a hash-to-point circuit
113, an XOR circuit 115, a symmetric key derivation circuit 117, a hash circuit 119, and
a check circuit 121.

The decapsulator utilises the secret key S1 (assigned by the trust authority) of
the user at location 1 to decrypt E1(K) (constituted by U and V) to provide session key
K. The decapsulator also provides a Flag to specify whether the decryption was
successful.

Utilising S1 and U, pairing circuit 111 implements pairing algorithm PAIR (the
same pairing algorithm as implemented by pairing circuit 103 of Fig 6) to provide t to
hash-to-point circuit 113. Hash-to-point circuit 113 implements second hash-to-point
algorithm H2 (the same hash-to-point algorithm as implemented by second hash-to-
point circuit 105 of Fig 6) to provide W to XOR circuit 115. XOR circuit 115 XORs W
and V to provide N. N is supplied to symmetric key derivation circuit 117, which circuit
is the same as circuit 95 of Fig 6. This provides the recovered session key K. N is also
supplied to hash circuit 119, which circuit is the same as circuit 93 of Fig 6. This
provides r. Utilising r and P, check circuit 121 implements multiplication algorithm
MULT (the same multiplication algorithm as implemented by multiplication circuit
101-(-1) of Fig 6). Now, in Fig 6, multiplication circuit 101-(-1), utilising r and P,
provides U. Check circuit 121 compares the result of its implementation of MULT with
U supplied to circuit 121. If they are the same, decryption was successful, otherwise it
was not.

The decapsulator of Fig 8 comprises a first pairing circuit 131, a multiplication
circuit 133, a point negation circuit 135, a second pairing circuit 137, a hash-to-point
circuit 139, an XOR circuit 141, a symmetric key derivation circuit 143, a hash circuit
145, and a check circuit 147.

The decapsulator utilises the secret key Si (1 < i < n) of the user at location i to
decrypt Ei(K) (constituted by U(i-1), U and V) to provide session key K. The
decapsulator also provides a Flag to specify whether the decryption was successful.

Utilising Si and U, first pairing circuit 131 implements pairing algorithm PAIR
(the same pairing algorithm as implemented by pairing circuit 103 of Fig 6) to provide
t1 to multiplication circuit 133. Utilising U(i-1) (supplied via point negation circuit 135
which implements a point negation algorithm) and second pairing circuit 137 also
implements pairing algorithm PAIR to provide t2 to multiplication circuit 133.
Multiplication circuit 133 implements multiplication algorithm MULT (the same
multiplication algorithm as implemented by multiplication circuits 101-(-1) to 101-(n-1)
of Fig 6) to provide t to hash-to-point circuit 139. Hash-to-point circuit 139 implements
second hash-to-point algorithm H2 (the same hash-to-point algorithm as implemented
by second hash-to-point circuit 105 of Fig 6) to provide W to XOR circuit 141. XOR
circuit 141 XORs W and V to provide N. N is supplied to symmetric key derivation
circuit 143, which circuit is the same as circuit 95 of Fig 6. This provides the recovered
session key K. N is also supplied to hash circuit 145, which circuit is the same as circuit
93 of Fig 6. This provides r. Utilising r and P, check circuit 147 implements
multiplication algorithm MULT (the same multiplication algorithm as implemented by
multiplication circuit 101-(-1) of Fig 6). Now, in Fig 6, multiplication circuit 101-(-1),
utilising r and P, provides U. Check circuit 147 compares the result of its
implementation of MULT with U supplied to circuit 147. If they are the same,
decryption was successful, otherwise it was not.

It will be seen that the encapsulator/decapsulator combination of Figs 6, 7 and 8
is again efficient in that it requires only one random number r (used for all recipients).
The encapsulator of Fig 6 provides the encryptions E1(K) to En(K) utilising identity
keys id1 to idn, random number N, and single random number r (derived from N).

If the amount of data to be sent is relatively low, the encapsulator/decapsulator
combination of Figs 6, 7 and 8 can be used without the need for symmetric encryption
by a separate symmetric encryptor as symmetric encryptor 3 of Fig 1. In such case,
referring to Fig 6: (i) PRNG 91 and symmetric key derivation circuit 95 would be
dispensed with; and (ii) the message to be sent M would replace N, i.e. M instead of N
would be supplied to hash circuit 93 and XOR circuit 107. Referring to Fig 7: (i)
symmetric key derivation circuit 117 would be dispensed with; and (ii) M instead of N
would be recovered by XOR circuit 115. Referring to Fig 8: (i) symmetric key
derivation circuit 143 would be dispensed with; and (ii) M instead of N would be
recovered by XOR circuit 141. If this encryption/decryption scheme is used, then, for
security, it should be combined with the Fujisaki-Okamoto transform, or similar
defence against attack.

Although the above description concerns two types of asymmetric cryptography,
public key and identity based, it is to be appreciated that the present invention is not so
limited and applies also to other types of asymmetric cryptography.

Claims:

1. A secure communication system comprising: a communications network; at a
sending location on said network: (i) an encapsulator (1) for providing (a) a session key
(K), and (b) a plurality of asymmetric encryptions of the session key (E1(K), E2(K),
E3(K) ... Ei(K) ... En(K)), each said encryption corresponding to a respective receiving
location (1 to n) on said network; and (ii) a symmetric encryptor (3) for utilising said
session key (K) to encrypt a message (M); and, at each said receiving location (1 to n)
on said network: (i) a decapsulator (5) for decrypting the encryption of said plurality of
encryptions (E1(K), E2(K), E3(K) ... Ei(K) ... En(K)) which corresponds to that
receiving location (1 to n) to provide said session key (K); and (ii) a symmetric
decryptor (7) for utilising the session key (K) to decrypt the message (M).

2. A system according to claim 1 wherein: said encapsulator (1) comprises: a 
pseudo random number generator (51 or 91); symmetric key derivation means (55 or 
95) for deriving said session key (K) from a first random number (N) generated by said 
pseudo random number generator (51 or 91); means (53 or 93) for utilising said first 
random number (N) to generate a second random number (r); and means (57-0 to 57-n 
and 59-1 to 59-n, or 97-1 to 97-n and 99-1 to 99-(n-1) and 101-(-1) to 101-(n-1) and 103 
and 105 and 107) for utilising the first keys (pk1 to pkn, or id1 to idn) of asymmetric 
encryption key pairs (pk1 to pkn and sk1 to skn, or id1 to idn and S1 to Sn) of the 
intended recipients at the receiving locations (1 to n) together with said second random 
number (r) and said first random number to generate said plurality of asymmetric 
encryptions of the session key (E1(K), E2(K), E3(K) ... Ei(K) ... En(K)); and said 
decapsulator (5) at each receiving location (1 to n) comprises: means (71, 73, 75, or 
111, 113, 115 or 131, 133, 135, 137, 139, 141) for utilising the second key (ski or Si) of 
the asymmetric encryption key pair (pki and ski, or idi and Si) of the recipient at the 
receiving location together with the asymmetric encryption (Ei(K)) corresponding to the 
receiving location to recover said first random number (N); and a further symmetric key 
derivation means (77, or 117 or 143) for deriving said session key (K) from said first 
random number (N). 

3. A secure communication system comprising: a communications network; at a 
sending location on said network an encryptor (1) for providing a plurality of 
asymmetric encryptions of a message (M), each said encryption corresponding to a 
respective receiving location (1 to n) on said network, said encryptor comprising: means 
(53 or 93) for deriving from said message (M) a first random number (r); and means 
(57-0 to 57-n and 59-1 to 59-n, or 97-1 to 97-n and 99-1 to 99-(n-1) and 101-(-1) to 
101-(n-1) and 103 and 105 and 107) for utilising the first keys (pk1 to pkn, or id1 to 
idn) of asymmetric encryption key pairs (pk1 to pkn and sk1 to skn, or id1 to idn and S1 
to Sn) of the intended recipients at the receiving locations (1 to n) together with said 
first random number (r) and said message (M) to generate said plurality of asymmetric 
encryptions of the message; and, at each said receiving location (1 to n) on said network 
a decryptor (5) for decrypting the encryption of said plurality of encryptions which 
corresponds to that receiving location (1 to n) to provide said message (M), said 
decryptor (5) comprising means (71, 73, 75, or 111, 113, 115 or 131, 133, 135, 137, 
139, 141) for utilising the second key (ski or Si) of the asymmetric encryption key pair 
(pki and ski, or idi and Si) of the recipient at the receiving location together with the 
asymmetric encryption corresponding to the receiving location to recover the message 
(M). 

4. A system according to claim 3 wherein: said first and second keys (pk1 to pkn, 
sk1 to skn) comprise public and private keys (pk1 to pkn, sk1 to skn) assigned to the 
recipients as part of a public key cryptography communication scheme; said means (57-0 
to 57-n, 59-1 to 59-n) for utilising the public keys (pk1 to pkn) comprises: a series of 
first exponentiation means (57-0 to 57-n), one of said first exponentiation means (57-0) 
raising a fixed system parameter (g) to the power of said first random number (r) to 
provide a first output (d), each of the remainder of said first exponentiation means (57-1 
to 57-n) raising a respective public key (pk1 to pkn) to the power of said first random 
number (r) to provide a second output (pki^r); and a series of first multiplication means 
(59-1 to 59-n), each first multiplication means (59-1 to 59-n) multiplying a respective 
said second output (pki^r) by said message (M) to provide a third output (ci), said third 
outputs (ci) of said first multiplication means (59-1 to 59-n) together with said first 
output (d) of said one of said first exponentiation means (57-0) constituting said 
plurality of asymmetric encryptions of the message (M); and said means (71, 73, 75) for 
utilising the private key (ski) comprises: second exponentiation means (71) for raising 
said first output (d) to the power of the private key (ski); inversion means (73) for 
inverting the output (d^ski) of said second exponentiation means (71); and a second 
multiplication means (75) for multiplying the output (1/(d^ski)) of said inversion means 
(73) by the said third output (ci) corresponding to the receiving location (1 to n), said 
second multiplication means (75) thereby recovering the message (M). 

5. A system according to claim 3 wherein: said first keys (id1 to idn) comprise 
identity keys (id1 to idn) based on the identities of the recipients, and said second keys 
(S1 to Sn) comprise corresponding secret keys (S1 to Sn) assigned to the recipients as 
part of an identity based cryptography communication scheme; said means (97-1 to 97-n, 
99-1 to 99-(n-1), 101-(-1) to 101-(n-1), 103, 105, 107) for utilising the identity keys 
(id1 to idn) comprises: a series of first hash-to-point means (97-1 to 97-n), one of said 
first hash-to-point means (97-1) utilising one of the identity keys (id1) to implement a 
first hash-to-point algorithm (H1) to provide a first output (Qid1), each remaining said 
first hash-to-point means (97-2 to 97-n) utilising a respective remaining identity key 
(id2 to idn) to implement said first hash-to-point algorithm (H1) to provide a second 
output (Qid2 to Qidn); a series of subtraction means (99-1 to 99-(n-1)), each said 
subtraction means (99-1 to 99-(n-1)) utilising said first output (Qid1) together with a 
respective said second output (Qid2 to Qidn) to implement a subtraction algorithm 
(SUB) to provide a third output (T1 to Tn); a series of first multiplication means 
(101-(-1) to 101-(n-1)), one of said first multiplication means (101-(-1)) utilising said first 
random number (r) and a fixed system parameter (P) to implement a multiplication 
algorithm (MULT) to provide a fourth output (U), another of said first multiplication 
means (101-0) utilising said first random number (r) and said first output (Qid1) to 
implement said multiplication algorithm (MULT) to provide a fifth output (U0), each 
remaining said first multiplication means (101-1 to 101-(n-1)) utilising said first random 
number (r) together with a respective said third output (T1 to Tn) to implement said 
multiplication algorithm (MULT) to provide a sixth output (U1 to U(n-1)); first pairing 
means (103) for utilising a publicly available key (R) together with said fifth output 
(U0) to implement a pairing algorithm (PAIR) to provide a seventh output (t); second 
hash-to-point means (105) for utilising said seventh output (t) to implement a second 
hash-to-point algorithm (H2) to provide an eighth output (W); and symmetric 
encryption means (107) for utilising said message (M) together with said eighth output 
(W) to implement a symmetric encryption function to provide a ninth output (V), said 
fourth, sixth and ninth outputs (U, U1 to U(n-1), V) together constituting said plurality 
of asymmetric encryptions of the message (M); and said means (111, 113, 115 or 131, 
133, 135, 137, 139, 141) for utilising the secret key (Si) comprises: at one receiving 
location (1) of said receiving locations (1 to n): second pairing means (111) for utilising 
the secret key (S1) of the recipient at the receiving location (1) together with said fourth 
output (U) to implement said pairing algorithm (PAIR) to provide a tenth output (t); 
third hash-to-point means (113) for utilising said tenth output (t) to implement said 
second hash-to-point algorithm (H2) to provide an eleventh output (W); and symmetric 
decryption means (115) for utilising said eleventh output (W) together with said ninth 
output (V) to implement a symmetric decryption function corresponding to said 
symmetric encryption function to recover said message (M); and at each remaining 
receiving location (2 to n): third pairing means (131) for utilising the secret key (Si (1 < 
i < n)) of the recipient at the receiving location (2 to n) together with said fourth output 
(U) to implement said pairing algorithm (PAIR) to provide a twelfth output (t1); point 
negation means (135) for utilising the said sixth output (U1 to U(n-1)) corresponding to 
the receiving location (2 to n) to implement a point negation algorithm to provide a 
thirteenth output; fourth pairing means (137) for utilising said thirteenth output together 
with said publicly available key (R) to implement said pairing algorithm (PAIR) to 
provide a fourteenth output (t2); second multiplication means (133) for utilising said 
twelfth and fourteenth outputs (t1, t2) to implement said multiplication algorithm 
(MULT) to provide a fifteenth output (t); fourth hash-to-point means (139) for utilising 
said fifteenth output (t) to implement said second hash-to-point algorithm (H2) to 
provide a sixteenth output (W); and further symmetric decryption means (141) for 
utilising said sixteenth output (W) together with said ninth output (V) to implement a 
symmetric decryption function corresponding to said symmetric encryption function to 
recover said message (M). 

6. A secure communication method comprising: at a sending location on a 
communications network: (i) providing (a) a session key (K), and (b) a plurality of 
asymmetric encryptions of the session key (E1(K), E2(K), E3(K) ... Ei(K) ... En(K)), 
each said encryption corresponding to a respective receiving location (1 to n) on said 
network; and (ii) utilising said session key (K) to encrypt symmetrically a message (M); 
and, at each said receiving location (1 to n) on said network: (i) decrypting the 
encryption of said plurality of encryptions (E1(K), E2(K), E3(K) ... Ei(K) ... En(K)) 
which corresponds to that receiving location (1 to n) to provide said session key (K); 
and (ii) utilising the session key (K) to decrypt the message (M). 

7. A method according to claim 6 wherein: said step (i) carried out at the sending 
location comprises: generating a first random number (N); deriving said session key (K) 
from said first random number (N); utilising said first random number (N) to generate a 
second random number (r); and utilising the first keys (pk1 to pkn, or id1 to idn) of 
asymmetric encryption key pairs (pk1 to pkn and sk1 to skn, or id1 to idn and S1 to Sn) 
of the intended recipients at the receiving locations (1 to n) together with said second 
random number (r) and said first random number (N) to generate said plurality of 
asymmetric encryptions of the session key (E1(K), E2(K), E3(K) ... Ei(K) ... En(K)); 
and said step (i) carried out at each receiving location (1 to n) comprises: utilising the 
second key (ski or Si) of the asymmetric encryption key pair (pki and ski, or idi and Si) 
of the recipient at the receiving location together with the asymmetric encryption 
(Ei(K)) corresponding to the receiving location to recover said first random number (N); 
and deriving said session key (K) from said first random number (N). 

8. A secure communication method comprising: at a sending location on a 
communications network providing a plurality of asymmetric encryptions of a message 
(M), each said encryption corresponding to a respective receiving location (1 to n) on 
said network, said step of providing said plurality of asymmetric encryptions 
comprising: deriving from said message (M) a first random number (r); and utilising the 
first keys (pk1 to pkn, or id1 to idn) of asymmetric encryption key pairs (pk1 to pkn and 
sk1 to skn, or id1 to idn and S1 to Sn) of the intended recipients at the receiving 
locations (1 to n) together with said first random number (r) and said message (M) to 
generate said plurality of asymmetric encryptions of the message; and, at each said 
receiving location (1 to n) on said network decrypting the encryption of said plurality of 
encryptions which corresponds to that receiving location (1 to n) to provide said 
message (M), said step of decrypting comprising utilising the second key (ski or Si) of 
the asymmetric encryption key pair (pki and ski, or idi and Si) of the recipient at the 
receiving location together with the asymmetric encryption corresponding to the 
receiving location to recover the message (M). 

9. A method according to claim 8 wherein: said first and second keys (pk1 to pkn, 
sk1 to skn) comprise public and private keys (pk1 to pkn, sk1 to skn) assigned to the 
recipients as part of a public key cryptography communication scheme; said step of 
utilising the public keys (pk1 to pkn) comprises: raising a fixed system parameter (g) to 
the power of said first random number (r) to provide a first output (d); raising each 
public key (pk1 to pkn) to the power of said first random number (r) to provide a second 
output (pki^r); and multiplying each said second output (pki^r) by said message (M) to 
provide a third output (ci), said third outputs (ci) together with said first output (d) 
constituting said plurality of asymmetric encryptions of the message (M); and said step 
of utilising the private key (ski) comprises: raising said first output (d) to the power of 
the private key (ski) to provide a fourth output (d^ski); inverting the fourth output 
(d^ski) to provide a fifth output (1/(d^ski)); and multiplying the fifth output (1/(d^ski)) 
by the said third output (ci) corresponding to the receiving location (1 to n) to recover 
the message (M). 
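
The arithmetic recited in claims 4 and 9, as an added Python example that is not part of the patent text: one exponent r derived from M gives d = g^r and one c_i = pk_i^r * M per recipient. The toy modulus and base, the SHA-256 derivation of r and all function names are assumptions; the final consistency check is modelled on check circuit 147 described for the identity-based decapsulator and is not recited in claim 4 or 9.

```python
import hashlib
import secrets

# Toy parameters (assumptions, not from the patent): a 127-bit Mersenne
# prime modulus and a small base. Far too small for real use.
P = 2**127 - 1
G = 3


def keygen():
    """Return (sk, pk) with pk = g^sk mod p."""
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)


def derive_r(m: int) -> int:
    """Derive the single exponent r from the message M.
    SHA-256 is an assumption; the claims only say r is derived from M."""
    digest = hashlib.sha256(m.to_bytes(16, "big")).digest()
    return int.from_bytes(digest, "big") % (P - 1) or 1


def encrypt_multi(m: int, pks):
    """One exponent for every recipient: d = g^r, c_i = pk_i^r * M."""
    if not 1 <= m < P:
        raise ValueError("message must be a non-zero element mod p")
    r = derive_r(m)
    d = pow(G, r, P)                              # first output (d)
    cs = [(pow(pk, r, P) * m) % P for pk in pks]  # third outputs (c_i)
    return d, cs


def decrypt(d: int, c_i: int, sk: int) -> int:
    """M = c_i * 1/(d^sk_i); then re-derive r from M and compare g^r with d."""
    shared = pow(d, sk, P)                        # d^sk_i
    m = (c_i * pow(shared, -1, P)) % P            # multiply by the inverse
    if pow(G, derive_r(m), P) != d:
        raise ValueError("consistency check failed")
    return m
```

The ciphertext for n recipients is n + 1 group elements (d plus one c_i each) rather than the 2n that independent encryptions would need.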

10. A method according to claim 8 wherein: said first keys (id1 to idn) comprise 
identity keys (id1 to idn) based on the identities of the recipients, and said second keys 
(S1 to Sn) comprise corresponding secret keys (S1 to Sn) assigned to the recipients as 
part of an identity based cryptography communication scheme; said step of utilising the 
identity keys (id1 to idn) comprises: utilising one of the identity keys (id1) to implement 
a first hash-to-point algorithm (H1) to provide a first output (Qid1); utilising each 
remaining identity key (id2 to idn) to implement said first hash-to-point algorithm (H1) 
to provide a second output (Qid2 to Qidn); utilising said first output (Qid1) together 
with each said second output (Qid2 to Qidn) to implement a subtraction algorithm 
(SUB) to provide a third output (T1 to Tn); utilising said first random number (r) and a 
fixed system parameter (P) to implement a multiplication algorithm (MULT) to provide 
a fourth output (U); utilising said first random number (r) and said first output (Qid1) to 
implement said multiplication algorithm (MULT) to provide a fifth output (U0); 
utilising said first random number (r) together with each said third output (T1 to Tn) to 
implement said multiplication algorithm (MULT) to provide a sixth output (U1 to 
U(n-1)); utilising a publicly available key (R) together with said fifth output (U0) to 
implement a pairing algorithm (PAIR) to provide a seventh output (t); utilising said 
seventh output (t) to implement a second hash-to-point algorithm (H2) to provide an 
eighth output (W); and utilising said message (M) together with said eighth output (W) 
to implement a symmetric encryption function to provide a ninth output (V), said 
fourth, sixth and ninth outputs (U, U1 to U(n-1), V) together constituting said plurality 
of asymmetric encryptions of the message (M); and said step of utilising the secret key 
(Si) comprises: at one receiving location (1) of said receiving locations (1 to n): utilising 
the secret key (S1) of the recipient at the receiving location (1) together with said fourth 
output (U) to implement said pairing algorithm (PAIR) to provide a tenth output (t); 
utilising said tenth output (t) to implement said second hash-to-point algorithm (H2) to 
provide an eleventh output (W); and utilising said eleventh output (W) together with 
said ninth output (V) to implement a symmetric decryption function corresponding to 
said symmetric encryption function to recover said message (M); and at each remaining 
receiving location (2 to n): utilising the secret key (Si (1 < i < n)) of the recipient at the 
receiving location (2 to n) together with said fourth output (U) to implement said 
pairing algorithm (PAIR) to provide a twelfth output (t1); utilising the said sixth output 
(U1 to U(n-1)) corresponding to the receiving location (2 to n) to implement a point 
negation algorithm to provide a thirteenth output; utilising said thirteenth output 
together with said publicly available key (R) to implement said pairing algorithm 
(PAIR) to provide a fourteenth output (t2); utilising said twelfth and fourteenth outputs 
(t1, t2) to implement said multiplication algorithm (MULT) to provide a fifteenth output 
(t); utilising said fifteenth output (t) to implement said second hash-to-point algorithm 
(H2) to provide a sixteenth output (W); and utilising said sixteenth output (W) together 
with said ninth output (V) to implement a symmetric decryption function corresponding 
to said symmetric encryption function to recover said message (M). 